Glupteba is advanced, modular and multipurpose malware that, for over a decade, has mostly been seen in financially driven cybercrime operations. This article describes the infection chain of a new campaign that took place around November 2023.
Despite being active for over a decade, certain capabilities that Glupteba’s authors have added have remained undiscovered or unreported – until now. We will focus on one intriguing and previously undocumented feature: a Unified Extensible Firmware Interface (UEFI) bootkit. This bootkit can intervene and control the OS boot process, enabling Glupteba to hide itself and create a stealthy persistence that can be extremely difficult to detect and remove.
While this threat began as a simple backdoor, it transformed into a potent botnet, emerging as a major player in the realm of cyberthreats. Since its discovery in the early 2010s, Glupteba has evolved significantly and undergone a series of stealthy metamorphoses. This threat is particularly known for its elaborate infection chains that showcase its operators’ continuous developments and their attempts to evade traditional security measures.
Palo Alto Networks customers are better protected from malware discussed in this article through products like Cortex XDR, our Next-Generation Firewall with Cloud-Delivered Security Services that include Advanced WildFire, Advanced Threat Prevention and Advanced URL Filtering. Additionally, Prisma Cloud Cortex XDR Cloud Agents or Prisma Cloud Defender Agents monitor for instances of known Glupteba malware. DNS Security can block malicious domains.
Specifically for UEFI bootkits such as Glupteba’s, the UEFI Protection module released as part of Cortex Agent 8.3 provides detection and prevention capabilities.
A note on acronyms: this article uses multiple acronyms. We’ve listed out terms that are either used together in sequence or may be unfamiliar to analysts of different backgrounds.
- DSE: Driver signature enforcement
- ESP: EFI system partition
- SPI: Serial Peripheral Interface
- UEFI: Unified Extensible Firmware Interface
- UPGDSED: Universal PatchGuard and Driver Signature Enforcement Disable
- About Glupteba’s PPI Ecosystem
- Exploring Glupteba's Undocumented UEFI Bootkit
- UEFI Bootkit Introduction
- Uncovering Glupteba’s Bootkit Installer
- EfiGuard in Glupteba
- Summary of DSE Bypasses in Glupteba
- Protections and Mitigations
- Indicators of Compromise
  - Glupteba Binaries From the 2023 Campaign
  - 2023 Campaign ZIP Files
  - EfiGuard Binaries Used by Glupteba
  - 2023 Campaign Infrastructure
  - Location of Program Database (PDB) File From Glupteba in 2023
Glupteba is built to be modular, which allows it to download and execute additional components or payloads. This modular design makes Glupteba adaptable to different attack scenarios and environments, and it also allows its operators to adapt to different security solutions.
Over the years, malware authors have introduced new modules, allowing the threat to perform a variety of tasks including the following:
- Delivering additional payloads
- Stealing credentials from various software
- Stealing sensitive information, including credit card data
- Enrolling the infected system in a cryptomining botnet
- Crypto hijacking and delivering miners
- Performing digital advertising fraud
- Stealing Google account information
- Bypassing UAC and having both rootkit and bootkit components
- Exploiting routers to gain credentials and remote administrative access
In recent campaigns, threat actors mainly distributed Glupteba through pay-per-install (PPI) services, which allowed the operators of this malware to mass-infect machines all over the world.
The PPI ecosystem is a significant and profitable component of the cybercrime landscape. This model, which initially emerged as a means to distribute advertisements, evolved over the years toward a more nefarious purpose: the dissemination of spyware and malware.
This model facilitates widespread distribution of malicious software, as financially incentivized PPI service providers play a crucial role in disseminating malware. This includes threats ranging from advanced downloaders like PrivateLoader and SmokeLoader to versatile threats like Glupteba, RedLine Stealer, coin miners and even ransomware.
PPI service providers use different platforms to recruit affiliates and sell services. One of the most popular PPI services that spreads PrivateLoader is called Ruzki. Ruzki is operated by the user les0k on Russian hacking forums. Figure 2 shows an account overview of les0k on the Russian hacking forum WWH, also known as WWHClub.
To attract malware operators, PPI services sometimes post promotions and offer discounts. Pricing is based on the number of installations requested, and in most cases pricing is also based on region.
Figure 3 shows an example where a PPI service provider is requesting $70 USD for 1,000 installations worldwide, excluding Europe and the U.S. One thousand installations in Europe costs $500, and the same number of installations in the U.S. will cost the operator $1,200.
Since December 2022, Glupteba has sprung back into action, infecting devices worldwide after its operation was disrupted by Google in December 2021. The activity continued into 2023, when the Glupteba botnet reemerged in a new, ongoing and widespread campaign affecting multiple regions and industries. Organizations hit by this campaign were based in countries including Greece, Nepal, Bangladesh, Brazil, Korea, Algeria, Ukraine, Slovakia, Turkey, Italy and Sweden.
Similar to other recent campaigns, threat actors often spread Glupteba through web-based distribution and large-scale phishing attacks using bundled software installation files and cracks, as shown in Figure 4. This strategy has led to multiple malware infections.
The campaign has multiple stages, as shown in Figure 5. The first stage of an attack lures a user into downloading malicious ZIP files containing fake installers that impersonate various software. Once the user downloads the ZIP file and attempts to install the software, the infection chain begins.
Threat actors often distribute Glupteba as part of a complex infection chain spreading several malware families at the same time. This infection chain often starts with a PrivateLoader or SmokeLoader infection that loads other malware families, then loads Glupteba.
For example, Figure 5 above shows a 2023 infection chain that starts with PrivateLoader, which leads to SmokeLoader, which in turn leads to a variety of other malware, including two Glupteba samples.
The infection chain shown in Figure 5 is one of many similar chains we discovered in 2023. Our analysis of these recent campaigns revealed Glupteba’s use of an undocumented UEFI bootkit.
Before discussing Glupteba’s implementation of the UEFI bootkit, here is a short introduction to UEFI bootkits and their complexity.
UEFI is a specification that defines the architecture of the platform firmware used for booting the computer hardware and its interface for interaction with the operating system.
Figure 6 reveals the different stages of the boot process in a UEFI system.
In the stages before boot device selection in Figure 6, the system’s firmware is loaded from a Serial Peripheral Interface (SPI) flash memory. Then the EFI system partition (ESP), located in the boot device and containing the Windows Boot Manager, is loaded as the host boots into Windows.
A malware implant in the ESP is enough to execute code before Windows starts, where it can easily disrupt various security mechanisms. Another possibility is an implant in the SPI flash memory that executes code at earlier stages of the boot process, enabling even greater power and flexibility. However, writing a firmware implant to flash memory requires higher privileges than writing an ESP implant, and it is considerably more complex.
We start our analysis with a bootkit installer binary disguised as a legitimate Windows binary (csrss.exe). When analyzing this installer, a clear lack of strings and functions indicates the file is packed in some way. This means we have some work to do before we can analyze the actual logic of the installer.
After examining the installer with a disassembler, the main function appears to eventually jump to an address stored in dword_2FA3A2C, as shown below in Figure 7.
In another function, dword_2FA3A2C is assigned newly allocated heap memory, which is then set to PAGE_EXECUTE_READWRITE permissions (see Figure 8). Finally, this heap memory is filled with data that is at least partially executable.
Further unpacking takes place after jumping to this code, eventually allocating another RWX memory region and jumping to it, as shown in Figure 9.
This memory area contains unpacked resources, including the PE file with the main installer logic. All other resources that are not related to the UEFI bootkit are out of scope here.
The installer has a function main_writeEfiGuard that writes files in the ESP as seen in Figure 10.
Summary of the operation of this function:
- The main_mountEFI function mounts the ESP into the B: drive
- B:\EFI\Microsoft\Boot\bootmgfw.efi is renamed to B:\EFI\Microsoft\Boot\fw.efi
- B:\EFI\Boot\bootx64.efi is renamed to B:\EFI\Boot\old.efi
- The asset embedded\bootmgfw.efi is written to B:\EFI\Microsoft\Boot\bootmgfw.efi and to B:\EFI\Boot\bootx64.efi
- The asset embedded\EfiGuardDxe.efi is written to B:\EFI\Boot\EfiGuardDxe.efi
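The file operations listed above leave a recognizable footprint on the ESP. The following script, an added example that is not code from this article, from Glupteba or from EfiGuard, checks a mounted ESP for that footprint: the renamed originals (fw.efi, old.efi), the dropped EfiGuardDxe.efi, and a bootmgfw.efi that no longer matches its fw.efi backup. It assumes the ESP has already been mounted (on Windows, `mountvol B: /S`), and the size threshold is a heuristic of ours, not a value from the article.

```python
"""Check a mounted EFI system partition (ESP) for the file changes the
Glupteba installer makes (see the main_writeEfiGuard summary above).
Usage: python check_esp.py B:/   (run as an administrator after mountvol B: /S)
"""
import hashlib
import sys
from pathlib import Path

# Paths relative to the ESP root, as listed in the article.
MS_BOOTMGR = Path("EFI/Microsoft/Boot/bootmgfw.efi")
RENAMED_BOOTMGR = Path("EFI/Microsoft/Boot/fw.efi")   # original bootmgfw.efi
FALLBACK_BOOT = Path("EFI/Boot/bootx64.efi")
RENAMED_FALLBACK = Path("EFI/Boot/old.efi")           # original bootx64.efi
EFIGUARD_DRIVER = Path("EFI/Boot/EfiGuardDxe.efi")

# Heuristic threshold (our assumption, not from the article): a genuine Windows
# Boot Manager is well over 1 MB, while a small loader that replaces it is not.
MIN_BOOTMGR_SIZE = 512 * 1024


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_esp(esp_root: Path) -> list[str]:
    """Return findings for the indicators described in the article.
    An empty list means none of them were found."""
    findings = []
    for rel, what in ((RENAMED_BOOTMGR, "renamed original Windows Boot Manager"),
                      (RENAMED_FALLBACK, "renamed original fallback boot loader"),
                      (EFIGUARD_DRIVER, "EfiGuard DXE driver")):
        if (esp_root / rel).is_file():
            findings.append(f"{rel.as_posix()} present ({what})")

    bootmgr = esp_root / MS_BOOTMGR
    backup = esp_root / RENAMED_BOOTMGR
    if bootmgr.is_file():
        # A backup that differs from the live file means the boot manager was swapped.
        if backup.is_file() and sha256(bootmgr) != sha256(backup):
            findings.append("bootmgfw.efi differs from the fw.efi backup: boot manager replaced")
        if bootmgr.stat().st_size < MIN_BOOTMGR_SIZE:
            findings.append("bootmgfw.efi is unusually small for a Windows Boot Manager")
    return findings


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "B:/")
    for line in check_esp(root) or ["no EfiGuard indicators found"]:
        print(line)
```

The same layout check can be run against an offline disk image once its ESP is mounted, since only the directory tree is inspected.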
These actions can be viewed as Cortex XDR events – see Figure 11.
The name of the function (main_writeEfiGuard) and the name of one of the dropped files (EfiGuardDxe.efi) immediately point us in the direction of EfiGuard.
EfiGuard is an open-source and portable UEFI bootkit that patches the Windows kernel by executing a UEFI driver (EfiGuardDxe.efi) to disable PatchGuard and driver signature enforcement (DSE). Figure 12 depicts the architecture of EfiGuard.
As documented in the GitHub project, EfiGuardDxe.efi can be executed either by installing it in a UEFI driver entry or booting a custom loader (Loader.efi) that loads the driver and then continues to load Windows. Glupteba uses the latter method.
In either case, the driver hooks the EFI Boot Service LoadImage function, which intercepts the loading of the Windows Boot Manager (bootmgfw.efi), starting a chain of patches that eventually patch the kernel (ntoskrnl.exe) as depicted in Figure 13.
The project supports two methods for disabling DSE. The first occurs at boot time, immediately after disabling PatchGuard. The second involves leaving a UEFI backdoor through a hook on the EFI Runtime Service SetVariable that allows user-mode code to read and write arbitrary kernel-space memory. The backdoor is complemented with a user-mode program (EfiDSEFix.exe) that utilizes the kernel read/write backdoor to patch DSE.
Using BinDiff for a similarity analysis of the two files Glupteba writes to the ESP quickly indicates they are a recompilation of the EfiGuardDxe.efi and Loader.efi components of EfiGuard, as shown below in Figures 14 and 15. Some code, such as logging, was removed from EfiGuard.
Glupteba replaces the Windows Boot Manager (bootmgfw.efi) with Loader.efi. The Loader.efi file loads the EfiGuardDxe.efi driver and then continues to load Windows.
It appears the threat author has manually modified and recompiled the driver code to use the boot time method to disable PatchGuard and DSE, as shown in Figure 16 below. Note that the driver configuration for the bypass method, stored in gDriverConfig, is set to DSE_DISABLE_AT_BOOT – see Figure 17. However, the author actually removed the code paths that check this configuration in our sample.
As documented in a previous analysis by Sophos, Glupteba formerly used Windows kernel drivers to hide itself. To successfully load these drivers, Glupteba used DSEFix or Universal PatchGuard and Driver Signature Enforcement Disable (UPGDSED).
DSEFix drops a known vulnerable driver and exploits it to disable DSE in kernel memory. UPGDSED runs in user-mode and patches the Windows kernel and Windows Boot Loader binaries for the same purpose.
Our current samples reveal that Glupteba has added EfiGuard to its arsenal of tools that are capable of disabling DSE.
In the installer, the function main_installDriver calls the previous function we analyzed (main_writeEfiGuard), which writes the files in the ESP. We give a high-level overview of the logic in this function in Figure 18 below, by grouping its nodes in IDA.
As revealed in Figure 18, any one of the three DSE bypasses we have mentioned (DSEFix, UPGDSED or EfiGuard) might be used, depending on the architecture, OS version and configuration. Unlike the BlackLotus ESP implant, we have not seen any evidence for Glupteba bypassing Secure Boot.
In the ever-evolving threat landscape, Glupteba malware continues to stand out as a notable example of the complexity and adaptability exhibited by modern cybercriminals.
The identification of an undocumented UEFI bypass technique within Glupteba underscores this malware's capacity for innovation and evasion. This novel method not only poses a significant challenge for detection but also highlights the pressing need for cybersecurity professionals to continually enhance their defenses and stay ahead of emerging threats.
Furthermore, with its role in distributing Glupteba, the PPI ecosystem highlights the collaboration and monetization strategies employed by cybercriminals in their attempts at mass infections. This model indicates that threat actors leverage underground economies to proliferate malware, and it emphasizes the importance of holistic cybersecurity strategies and multilayer security solutions that extend beyond traditional defenses.
Cortex XDR and XSIAM raised many alerts for the malicious activities observed in the 2023 campaign distributing Glupteba and other malware. Prevention and detection alerts revealed the different stages and different malware involved.
SmartScore, our unique ML-driven scoring engine that translates security investigation methods and their associated data into a hybrid scoring system, scored this incident an 86 out of 100, as shown below in Figure 19. This type of scoring helps analysts determine which incidents are more urgent and provides context about the reason for the assessment, assisting with prioritization.
For Palo Alto Networks customers, our products and services provide the following coverage associated with this group:
- The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.
- Next-Generation Firewall with Cloud-Delivered Security Services including Advanced URL Filtering, Advanced Threat Prevention and DNS Security identify domains associated with this group as malicious.
- Prisma Cloud: Any cloud infrastructure running Windows virtual machines should monitor their Windows-based VMs using Cortex XDR Cloud Agents or Prisma Cloud Defender Agents. Both agents will monitor the Windows VM instances for known Glupteba malware, using signatures pulled from Palo Alto Networks WildFire.
- Cortex XDR
- Prevents the execution of known malware, and also prevents the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.
- Protects against credential gathering tools and techniques using the new Credential Gathering Protection available from Cortex XDR 3.4.
- Protects from threat actors dropping and executing commands from web shells using Anti-Webshell Protection, newly released in Cortex XDR 3.4.
- Protects against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using the Anti-Exploitation modules as well as Behavioral Threat Protection.
- Cortex XDR Pro detects post-exploit activity, including credential-based attacks, with behavioral analytics.
- The UEFI Protection module detects and prevents advanced threats that target UEFI. In the case of Glupteba, Figure 20 shows the module blocking the malicious modifications made to the ESP.
If you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America Toll-Free: 866.486.4842 (866.4.UNIT42)
- EMEA: +31.20.299.3130
- APAC: +65.6983.8730
- Japan: +81.50.1790.0200
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
- Glupteba malware is back in action after Google disruption – Bleeping Computer
- Disrupting the Glupteba operation – Updates from Threat Analysis Group (TAG), Google
- Glupteba Expands Operation and Toolkit with LOLBins And Cryptominer – Malicious Life, Cybereason
- December 2022’s Most Wanted Malware: Glupteba Entering Top Ten and Qbot in First Place – Check Point Blog
- First UEFI rootkit found in the wild, courtesy of the Sednit group – ESET, LoJax white paper
- BlackLotus UEFI bootkit: Myth confirmed – We Live Security, ESET
- Glupteba malware hides in plain sight – Sophos News
- DSEFix: Windows x64 Driver Signature Enforcement Overrider – hfiref0x on GitHub
- UPGDSED: Universal PatchGuard and Driver Signature Enforcement Disable – hfiref0x on GitHub
- EfiGuard: Disable PatchGuard and Driver Signature Enforcement at boot time – Mattiwatti on GitHub
- PrivateLoader: the loader of the prevalent ruzki PPI service – Sekoia Blog
- PrivateLoader: The first step in many malware schemes – Intel 471